diff --git a/shim.spec b/shim.spec
index bff032d7cc9275e371b5a4e8c8e6066911507ede..f4560a17d011b7145a5f67989ae5ac03fc87cd2a 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@
 
 Name: shim
 Version: 15.7
-Release: 12
+Release: 13
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -34,6 +34,8 @@ Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{v
 Source1: BOOTAA64.CSV
 Source2: BOOTX64.CSV
 Source3: openEuler_ca.der
+Source4: shimaa64-cfca.efi
+Source5: shimx64-cfca.efi
 
 Patch1:backport-CVE-2023-40546.patch
 Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@@ -76,6 +78,14 @@ Obsoletes: shim-%{efi_arch} < %{version}-%{release}
 Initial UEFI bootloader that handles chaining to a trusted full \
 bootloader under secure boot environments.
 
+%package signed
+Summary: signed shim
+Requires: %{name} = %{version}-%{release}
+AutoReqProv: 0
+
+%description signed
+signed shim
+
 %package debuginfo
 Summary: Debug information for shim-unsigned
 Requires: %{name}-debugsource = %{version}-%{release}
@@ -150,9 +160,11 @@ install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor}
 install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor}
 %ifarch aarch64
 install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
+install -m 0700 %{SOURCE4} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTAA64_CFCA.EFI
 %endif
 %ifarch x86_64
 install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
+install -m 0700 %{SOURCE5} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTX64_CFCA.EFI
 %endif
 %if "%{_vendor}" != "openEuler"
 iconv -f UTF-16LE -t UTF-8 ${RPM_BUILD_ROOT}/%{shimefivendor}/%{bootcsv} > /tmp/%{bootcsv}.tmp
@@ -180,6 +192,14 @@ make test
 %{shimefivendor}/*.efi
 %{shimefivendor}/*.hash
 
+%files signed
+%ifarch aarch64
+%{shimBOOT}/BOOTAA64_CFCA.EFI
+%endif
+%ifarch x86_64
+%{shimBOOT}/BOOTX64_CFCA.EFI
+%endif
+
 %files debuginfo
 %defattr(-,root,root,-)
 /usr/lib/debug/*
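Review bot: `Source4` and `Source5` bring in prebuilt, externally signed EFI binaries, and nothing in the spec records what they were built from. Since these are presumably the images firmware verifies under Secure Boot, a reader needs to know they were produced from this package's source with the `Patch1`/`Patch2` CVE backports and the rest of the patch series applied. A signed binary built from an older tree would ship without those fixes, and the diff cannot show this because the files appear only as binary blobs. I would add a comment above the two lines such as `# Source4/5: CFCA-signed builds of this package at <version-release>; sha256 <digest-aa64> / <digest-x64>`, with the placeholders filled in by whoever submitted the images for signing.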
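Review bot: The new subpackage's `Summary: signed shim` and its identical one-line `%description` do not say who signed the binary or how it relates to the main package, and `AutoReqProv: 0` is left unexplained. The changelog entry names CFCA as the signer, so the summary could read `Summary: First-stage UEFI bootloader signed by CFCA`. The description could state that the package carries a prebuilt, CFCA-signed copy of the shim built by this spec. If the dependency generators are switched off because the payload is a prebuilt EFI image, a comment such as `# prebuilt EFI binary, nothing for the dependency generators to scan` above `AutoReqProv` would record that.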
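Review bot: The two added `install` lines copy the prebuilt `%{SOURCE4}` and `%{SOURCE5}` into `%{shimBOOT}` without checking them against the shim this build has just produced. The `*.hash` files installed at the top of the hunk suggest the build already computes a digest of the unsigned image. If the build is reproducible, the spec could compute the same digest over the signed file and stop on a mismatch, which would catch a signed binary left behind after a later patch or rebase. Until such a check exists I would at least add `# TODO: verify %{SOURCE4}/%{SOURCE5} against the freshly built *.hash before installing` above each line. The `%install` section starts and ends outside the hunk, so whether `%{shimBOOT}` is created beforehand is not visible here.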
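Review bot: `%files signed` has no `%defattr` line, while the `%files debuginfo` section immediately after it sets `%defattr(-,root,root,-)`. Adding `%defattr(-,root,root,-)` as the first line of the new section keeps it consistent with its neighbour and states the intended root ownership explicitly for files that `%install` places with mode 0700.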
@@ -191,6 +211,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Wed May 29 2024 jinlun -15.7-12
+- add CFCA sign shim
+
 * Fri May 17 2024 wangcheng - 15.7-12
 - Align section size up to page size for mem attrs
 
diff --git a/shimaa64-cfca.efi b/shimaa64-cfca.efi
new file mode 100644
index 0000000000000000000000000000000000000000..36a468df34b8c7fc25e92eebf738ea5cb1342757
Binary files /dev/null and b/shimaa64-cfca.efi differ
diff --git a/shimx64-cfca.efi b/shimx64-cfca.efi
new file mode 100644
index 0000000000000000000000000000000000000000..772d43a172ddb2012ac027fdbf66368cc3a5d68a
Binary files /dev/null and b/shimx64-cfca.efi differ